<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3157" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=522035719-28092007><FONT face=Arial
color=#0000ff size=2>Thanks Wes. Filtering management IP address is
standard security practice on routers and switches, and is easy to
implement. Do you know if there is a feature request for something similar
in callmanager?</FONT></SPAN><BR></DIV>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Wes Sisk [mailto:wsisk@cisco.com]
<BR><B>Sent:</B> September 28, 2007 13:03<BR><B>To:</B> Eric
Pedersen<BR><B>Cc:</B> cisco-voip@puck.nether.net<BR><B>Subject:</B> Re:
[cisco-voip] user access to ccmuser web pages<BR></FONT><BR></DIV>
<DIV></DIV>Eric,<BR><BR>Good clarification. Nothing built into the product
to allow this, but sounds like a good use of a proxy server. AONS/firewall would
not work because it's https and encrypted on the wire.<BR><BR>/Wes<BR><BR>Eric
Pedersen wrote:
<BLOCKQUOTE
cite=mid:A58F94A553BA4742821241C8F3E76C9F04494A27@EX2.ACDM.DS.SAIT.CA
type="cite">
<META content="MSHTML 6.00.2900.3157" name=GENERATOR>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=491191618-28092007>I wasn't clear enough. We have a
limited range of IP addresses that are trusted for callmanager
administration, and we have larger IP ranges where our general user population
reside. I would like to filter what networks can access ccmadmin, os
admin, etc. so that the general user population can't even get to the login
screen. Because ccmadmin and ccmuser use the same tcp ports, and I
haven't found any way to change this, I cannot simply filter admin access with
router ACLs.</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=491191618-28092007></SPAN></FONT> </DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=491191618-28092007>Simple username and password authentication isn't a
particularly secure way to protect such a key piece of infrastructure ...
you're just one accidental password disclosure or web server bug away from a
hacked callmanager. </SPAN></FONT></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Wes Sisk [<A class=moz-txt-link-freetext
href="mailto:wsisk@cisco.com">mailto:wsisk@cisco.com</A>] <BR><B>Sent:</B>
September 28, 2007 12:14<BR><B>To:</B> Eric Pedersen<BR><B>Cc:</B> <A
class=moz-txt-link-abbreviated
href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</A><BR><B>Subject:</B>
Re: [cisco-voip] user access to ccmuser web pages<BR></FONT><BR></DIV>check
out the "Standard CCM End Users" group.<BR><BR>Eric Pedersen wrote:
<BLOCKQUOTE
cite=mid:A58F94A553BA4742821241C8F3E76C9F04494A00@EX2.ACDM.DS.SAIT.CA
type="cite">
<META content="MSHTML 6.00.2900.3157" name=GENERATOR>
<DIV><SPAN class=933023516-28092007><FONT face=Arial size=2>I'm using
callmanager 5.1. I want to enable general user access to the
callmanager ccmuser web pages. I have not seen any way to allow this
without also giving access to ccmadmin/osadmin/etc. web pages, which I
don't want to do for obvious security reasons. Is there a way to do
this?</FONT></SPAN></DIV>
<DIV><SPAN class=933023516-28092007></SPAN> </DIV>
<DIV><SPAN class=933023516-28092007><FONT face=Arial
size=2>Thanks,</FONT></SPAN></DIV>
<DIV><SPAN class=933023516-28092007><FONT face=Arial
size=2>Eric</FONT></SPAN></DIV><PRE wrap=""><HR width="90%" SIZE=4>
_______________________________________________
cisco-voip mailing list
<A class=moz-txt-link-abbreviated href="mailto:cisco-voip@puck.nether.net" moz-do-not-send="true">cisco-voip@puck.nether.net</A>
<A class=moz-txt-link-freetext href="https://puck.nether.net/mailman/listinfo/cisco-voip" moz-do-not-send="true">https://puck.nether.net/mailman/listinfo/cisco-voip</A></PRE></BLOCKQUOTE></BLOCKQUOTE></BODY></HTML>